Malware Alert: Rootkit-Based Skype Worm Opens Backdoors

Just like its sibling in the Conficker family, it restricts access to AV websites and kills removal tools


While both Yahoo!® Messenger and MSN Messenger have been massively exploited by IM worms, Skype users have been less exposed to this type of e-threat. It is true that hyperlink-sending worms are hardly news in the current malware landscape, and multiple variants affecting various IM services are in the wild, but most of them are extremely easy to remove and don't come with any additional self-protection. Unlike average IM worms, Backdoor.Tofsee features an extensive set of tricks to deter detection and removal, as well as a wide assortment of ways to harm both the user and their computer.

The worm relies on social engineering to lure the user into downloading and executing a copy of itself on the local machine. It reads the system locale settings (country, language and currency) in order to determine which language to send its messages in. It can use English, Spanish, Italian, Dutch, German, and French to send itself to either Skype™ or Yahoo!® Messenger contacts. The message text always differs from the previously sent messages and is constantly updated from a remote location.

[Image: Infected Link]

Plus, in order to avoid suspicion, the worm only sends the message during an ongoing conversation, rather than randomly starting one-link monologues. When the unwary user clicks on the infected link, they are redirected to a spoofed page impersonating Rapidshare. If the user continues the download process by clicking the alleged Rapidshare download link, they get a zipped archive. Upon extraction, the archive reveals an executable file with a deceptive name: the file looks like a JPG, followed by a URL.

However, the trailing .com is actually the file extension, revealing an MS-DOS executable application. Once executed, the infected binary queries the Windows Registry to see whether either Skype or Yahoo Messenger is installed. If neither application is found on the computer, the worm exits without infecting the system. If one of them is present, the worm makes sure it is not being analyzed in a virtual machine by checking the Performance Counter.

[Image: Tick Count]

Should the worm detect that it is running in a virtual machine or inside a debugger, it automatically terminates itself; otherwise it creates a suspended child process and injects the worm's decrypted overlay into it. After a successful injection, the child process is resumed and the parent process kills itself.

In order to hide itself from the operating system, the worm deploys its last line of defense: a rootkit driver that conceals files, monitors the global Internet activity originating from the infected machine and prevents access to the URLs associated with antivirus vendors, online scanners, tech support forums and, of course, Windows Update. As a novelty, the worm also denies access to a certain number of high-profile download portals that might host removal tools or antivirus utilities.

[Image: Gmer mini]

After having successfully compromised the system, the worm adds itself to the Startup key in the Windows Registry; it also deactivates the Windows Firewall in order to weaken local security and to allow a remote attacker to connect to the worm's backdoor component. To make things worse, the rootkit component also prevents the installation of any file it recognizes as an antivirus product. Backdoor.Tofsee identifies these files by their filename, so renaming the blocked file should solve the issue.

The worm's spreading mechanism isn't limited to spamming itself via Skype and YIM; it also copies itself onto any attached USB storage device it finds, replicating its binary in a newly created folder called ~secure and creating an autorun.inf file that points to it. A secondary folder, called Temp002, is also generated, and a binary file infected with Trojan.Vaklik.AY is planted inside it. All the created files have the archive, hidden and system attributes set in order to conceal them from the Windows Explorer shell.
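As an added example that is not part of the original post, the following Python script triages the root of a removable drive for the USB spreading pattern described above: the ~secure and Temp002 folders, their hidden+system attributes, and an autorun.inf whose launch entry points into ~secure. The sample layout and the file name payload.exe are constructed for the demonstration (the post does not name the dropped binary), and the attribute check only has an effect on Windows.

```python
import os
import tempfile
from pathlib import Path

# Indicators from the write-up: the ~secure dropper folder, the Temp002 folder
# holding the secondary binary, and an autorun.inf that launches from ~secure.
SUSPECT_DIRS = ("~secure", "Temp002")
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")
HIDDEN_AND_SYSTEM = 0x2 | 0x4  # FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM

def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lower-cased."""
    entries, in_section = {}, False
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def is_hidden_system(path):
    """True when Hidden and System are both set; st_file_attributes exists only on Windows."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return (attrs & HIDDEN_AND_SYSTEM) == HIDDEN_AND_SYSTEM

def triage_drive_root(root):
    """Collect the indicators present at the root of a (removable) drive."""
    root, findings = Path(root), []
    for name in SUSPECT_DIRS:
        if (root / name).is_dir():
            tag = " (hidden+system)" if is_hidden_system(root / name) else ""
            findings.append(f"suspect folder {name}{tag}")
    inf = root / "autorun.inf"
    if inf.is_file():
        for key, target in parse_autorun(inf.read_text(errors="replace")).items():
            if key in LAUNCH_KEYS and target.lower().lstrip("'\"./\\").startswith("~secure"):
                findings.append(f"autorun.inf {key}={target} launches from ~secure")
    return findings

def demo():
    """Build a constructed layout (payload.exe is a placeholder name) and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in SUSPECT_DIRS:
            (root / name).mkdir()
        (root / "~secure" / "payload.exe").write_bytes(b"MZ")
        (root / "autorun.inf").write_text("[autorun]\nopen=~secure\\payload.exe\n")
        return triage_drive_root(root)
```

Point triage_drive_root() at the drive letter of a suspect USB stick (for example E:\) to run it against real media; demo() exercises the logic against the constructed layout.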

Backdoor.Tofsee is a high-risk piece of malware that allows a remote attacker to take complete control over the infected machine and use it for various illegal purposes. In order to stay safe, you are advised to install and regularly update a complete antimalware solution with antispam, antiphishing, antivirus and firewall modules.

About the author


Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.